Closing the gap on vendor vulnerabilities

While banks remain on guard for robbers, unscrupulous employees and hackers—keeping the proverbial vault sealed shut—trusted third-party vendors could leave the door wide open to cybercriminals.

Outsourcing, connectivity and cloud-based solutions have delivered tremendous benefits to community banks but also come with risk. With increasing ardor, hackers and criminals exploit third-party vendors as an end-around to attack the financial services industry. Even seemingly benign parties such as HVAC contractors and maintenance companies could unknowingly threaten connected systems if they’re compromised.

Think back to the infamous, record-setting Target breach of 2013, when malefactors bored through the HVAC system via an outside vendor, Fazio Mechanical Services of Sharpsburg, Pennsylvania. The damages: data stolen from 40 million credit and debit cards, and settlements totaling $18.5 million. (In a baffling case to file under “Huh?” Target immediately switched to EMV chips post-breach but dragged its feet on accepting the safe option of Apple Pay until 2019.)

Now more than ever, banks must implement strong programs to assess their vendors’ security postures and continually strive to close the gap on back-door vulnerabilities.

‘You can’t outsource the risk’

Nowadays, it only takes a little line of nefarious code in a software update to wreck your world.

In February 2016, hackers stole $81 million from Bangladesh Bank in just hours, exploiting weaknesses in SWIFT. A year later in March 2017, Scottrade Bank exposed private information on 20,000 customers when a third-party vendor uploaded an unprotected data set. Suddenly, bank executives had to bone up on the term “MSSQL database.”

And in July 2017, one of the largest banks in Italy exposed 400,000 customers after an “external commercial partner” was attacked, according to Reuters.

“Every time you read about a cyber incident, there’s a good chance it has some sort of third-party component to it: The vendor got hacked, therefore the bank got hacked,” says Alejandro Mijares, manager of risk advisory services at the Miami accounting firm of Kaufman Rossin.

The risks are growing across the economy in virtually every industry.

In a November survey by the Ponemon Institute, nearly 60 percent of 1,000 chief information security officers reported a data breach caused by a vendor or third party. But it gets worse: A quarter of them weren’t even sure if they had been breached in the past, while more than half said they don’t know if their vendors’ safeguards are enough to prevent a breach.

That doesn’t bode well at a time when so many vendors have access to customer information and even janitorial companies could create a system vulnerability that gives the term “mop up” a notorious new meaning.

The reality is while banks can outsource technology and operations, “You can’t outsource the risk,” says Marie Blake, former executive vice president and chief compliance officer for BankUnited. “Twenty years ago, banks would outsource to vendors and say they didn’t own the risk anymore. But that doesn’t hold in today’s world.”

Frameworks to fight the gaps

The old-school way of validating a vendor’s security practices was to get them to fill out a questionnaire. That alone won’t cut it in today’s environment, says Jacob Olcott, vice president of communications and government affairs at BitSight, a security ratings firm.

Banks must be more proactive in scrutinizing not only their own internal security but that of their vendors as well. Banks can study several frameworks to ensure they’re performing due diligence to validate vendors.

You can start with the bulletin released by the Office of the Comptroller of the Currency in 2013. It addresses how to create a stronger vendor management program and says to conduct vendor risk assessments that identify high-risk parties, along with how they communicate and connect to the bank. Another framework source is the FFIEC Cybersecurity Assessment Tool (CAT), updated in May 2017. One of its five domains focuses on vendor management and has 51 declarative statements that walk banks through vendor-related issues.

But the best security starts from the onset of the relationship, Blake says. She recommends that banks build the right to perform independent security audits into contracts, using detailed language about the frequency and methodology behind them.

Contracts should also include clearly written policies about how vendors will inform banks of new weaknesses or breaches.

“Quite honestly, without that being built [into the contract] they don’t have to do any of that and don’t have to allow you to come in and audit or test the functions,” Blake says. “It’s really important that the language is structured in the right way.”

You’ll also want to keep an eye on security throughout your lifecycle with the vendor, including at renewals and dissolution. That means you must continuously monitor and test security practices. Whereas banks often conduct quarterly risk assessments and penetration tests, service providers may only do it annually if at all, Mijares says.

Create a controlled environment

Are you really just going to trust every vendor on face value that they’re doing what they say? Don’t.

“You need to understand the controlled environment of the vendor and have ongoing monitoring. This is where there’s often a gap,” Mijares points out.

It’s important to track security performance over time as relationships and data sensitivity can change. If a vendor expands a relationship with the bank or gains access to a new data set, their risk profile may also rise. At that point, the bank may need to approve and monitor a different type of control, Mijares says.

Because regulatory requirements call for the ongoing monitoring of third parties, banks will want to obtain proper documents from vendors to present to regulators when needed. That means keeping audit reports, contracts, non-disclosure agreements and termination clauses. While regulators used to concentrate mainly on the banks, they now visit many banking vendors and ask them to perform audits, put controls in place and file with the FFIEC, Mijares says.

“With new technology comes risk, so it’s going to be there all the time,” he notes. “But [regulators] are making sure service providers raise their level of security.”

After all, financial services organizations and their vendors will always remain a target—and in that sense, no one wants to become a Target.